If your nerves haven’t been rattled by the October 21st DNS attacks, they should have been. The hysterical tenor of the US election drowns everything out, but this news was a real doozy. Many sites, including Twitter, Spotify, and Airbnb, were inaccessible due to one of the largest denial of service attacks ever.

* * *

So given the state of a possibly escalating cyberwar, how is an attorney to stay safe? Start by making sure you understand and live by these basic security rules . . . .

International security authorities spent close to two years pursuing a criminal site called Darkode, where hackers could buy and sell malware meant to steal information. On the international site, which could only be accessed with a referral and a password, hackers advertised and sold their homemade software. Criminals who bought it could steal anything from Facebook follower lists to database account passwords.

Technology is changing literally all the time. Unfortunately, the law does not. Congress has yet to update the 1986 Electronic Communications Privacy Act. For example, there is no law giving emails stored longer than 6 months the same protection as emails stored less than 6 months.

To date, there are no NSA reforms for surveillance of online communication. It is possible that Congress will go farther and mandate “back doors” to allow government to access more digital information. Reports of hackers accessing our financial and private information are no longer surprising. Although companies assure us that our information is secure, is it?

These matters go to the heart of digital privacy issues for companies and individuals and FOIA requests. Some of you will be surprised how vulnerable we are. -CCE

In February, we discussed a report about data breach trends in 2014 and how those trends compared to data breaches in 2013. That report provided breach trends for several industries, including the healthcare industry, which suffered the most breaches last year (possibly because stolen health records are apparently worth big money). But, according to a recent report, you won’t see any trends for law firms because the legal profession almost never publicly discloses a breach. . . .

My guess is that most people who use a smart phone access some kind of confidential information, such as your bank account or conversations with a client or the office. If you do not have a PIN lock on your smart phone, this truly is a special kind of stupid.

This is not a hard one to understand. If you use your cell phone to communicate with clients, sync your phone to your office computer and docket, or attach yourself to your office and confidential information – without taking simple, basic security measures – you are inviting a dangerous breach of confidentiality. -CCE

44% of respondents say it’s too much of a hassle, new survey reports.

People put a lot of sensitive info on their phones, but they often give little thought to how secure their data is. In a survey by a security company, over half of the respondents said they didn’t bother with a PIN lock. This takes on a whole new dimension when you begin to understand how many of these people keep corporate data on the device.

Losing an unlocked phone can be far worse than losing a wallet. Emails on the device alone can reveal a wealth of information about the person, including where they bank, where they live, names of family members, and more. If company email is on the device, and it often is, there can be competitive information, salaries, system passwords, etc. If any of those emails contain links, often clicking on one will take you into the website, be it Facebook or a corporate portal.

According to Confident Technologies, 65% of users have corporate data on their phone, even though only 10% actually have a corporate-issued device.

For that majority that don’t lock their phone at all, 44% said it is too much of a hassle to lock it and 30% said they weren’t worried about security. These are likely the same people that store things like social security numbers, passwords, and other sensitive information in text files or basic note applications. They may even store their computer’s password on a Post-It Note in their center desk drawer. . . .

It really is the iPhone’s fault. Yes, Apple is to blame for designing the most desirable piece of technology of the last decade. So desirable, in fact, that employees of all stripes requested (and, often, begged) their IT departments to toss the increasingly-‘corporate’ Blackberry out the window and allow the use of their personal iPhones for corporate emails and calls. As a result, we have been living in the age of ‘Bring Your Own Device’ where employees use a single personal mobile phone (or tablet) for both their personal email, texting, and social media while also using it for work email, word processing, and other enterprise applications.

Before the Bring Your Own Device era, a company’s greatest out-of-office security concern was an employee who left a briefcase in a taxi. Today, the worry is an employee misplacing a device the size of a wallet containing almost limitless amounts of data that criminals or hackers would easily and quickly exploit if given the chance. Clearly, there is an obvious financial motivation for all businesses to protect their own or their customers’ sensitive data.

However, lawyers face particular ethical consequences if they fail to make reasonable efforts to either investigate the technologies that they implement or protect their clients’ confidential information. . . .

The Chinese army knows this vulnerability and attacks American employees every day to steal trade secrets and gain commercial advantage for Chinese businesses.

Criminal hackers can cause tremendous damage, whether trained in China or not. If a high-level expert, such as any member of China’s elite Unit 61398, aka Comment Crew, gets into your system, they can seize root control, and own it. They can then plant virtually undetectable back doors into your systems. This allows them to later come and go as they please. . . .